Adobe has admitted that it is taking longer than expected to alert tens of millions of customers that their data may have been leaked in a security breach.

The company discovered evidence of an attack on September 17 and went public with the news on October 3, when it "immediately" started to inform those affected. But some have still not been alerted, 10 weeks later, potentially leaving them more vulnerable to identity theft.

"Email notifications are taking longer than we anticipated," said Adobe spokesman Heather Edell, speaking to Reuters.

The problem is apparently caused by the need to limit the number of emails sent at once, in order to prevent them being marked as mass spam by email providers.

So far only 2.9 million of those affected have been informed, some by letter and some by email.

It is reported that details of 152 million Adobe ID accounts have been available online for several weeks, but the company claims that the breach affected a backup server so many of the details are old; 25 million have invalid email addresses and a further 18 million have since-changed passwords.

Adobe also says that "a large percentage" of the details were false and entered by people looking to download free software.

Last month the company behind popular deskop software Photoshop, InDesign and Acrobat claimed that the number of real users affected was 38 million.

Chester Wisniewski, a senior security advisor at anti-virus software maker Sophos, told Reuters: "This is a pretty massive screw-up. Anybody can go and download the list. It's not a secret."

Source code for Adobe products including Acrobat, ColdFusion, and ColdFusion Builder were also stolen in the security breach. Security expert Graham Cluley highlighted fears at the time that malicious hackers could examine the code and attempt to find flaws and vulnerabilities that they can exploit.

"It should go without saying that no software company ever wants to have criminals steal its source code – it is, after all, the technology equivalent of losing the Crown Jewels," he said.

Facebook engineers have scanned the leaked details to look for users registered on both sites with the same password, sending them a notification that they should change their details.